UK SOX 2025: What Compliance Leaders Must Do Now to Strengthen Internal Controls

Understand the revised UK Corporate Governance Code, new internal control disclosure requirements, and key steps compliance leaders must take for UK SOX readiness in 2025.

Resolver

The UK’s planned equivalent to the U.S. Sarbanes-Oxley Act has shifted course. In late 2023, the government withdrew its proposed Corporate Reporting and Audit Reform Bill, removing new obligations for large companies to publish detailed statements on resilience, internal controls, fraud, and assurance. The UK SOX 2025 update reflects these changes and sets the stage for what compliance teams will face going forward.

That move didn’t erase the pressure for stronger oversight, and the expectation for stronger governance and internal control reporting hasn’t gone away. Instead, the Financial Reporting Council (FRC) moved ahead with targeted updates to the UK Corporate Governance Code. These changes place the responsibility on boards to provide transparent, evidence-based statements on the effectiveness of internal controls. This raises the bar for governance, even without making attestation a legal requirement.

UK SOX 2025: What’s required & what’s delayed

The government’s decision to pause legislation does not remove the pressure on companies to improve internal controls. Under the revised Corporate Governance Code, premium-listed companies had to comply with the new provisions for financial years starting on or after 1 January 2025.

Provision 29, the most significant change, requires a board-level declaration on internal control effectiveness and has a longer lead time. It will apply to periods starting on or after 1 January 2026, meaning the first annual reports including these statements will be issued in 2027.

Although the phased approach offers some time to prepare, expectations from boards, auditors, and investors are already rising. Early action is necessary to meet the standard that’s taking shape well before 2026.

What’s changed for UK SOX compliance since 2023

Several important developments have taken place since the government’s initial reform proposal:

  • Provision 29 in force: Boards will need to make an explicit annual declaration on the effectiveness of all material controls, including financial, operational, and compliance-related controls.
  • Broader control scope: “Material controls” must be defined by each board and may include operational, compliance, and financial controls tied to principal risks.
  • More voluntary adoption: Some private and cross-border companies are proactively adopting ICFR and COSO-aligned frameworks to meet investor expectations and market norms.
  • Legislation paused: Instead of a statutory UK SOX framework, the Corporate Governance Code is now the primary driver of reform.

Each of these developments signals a shift away from legislative dependency toward board-level accountability. Even companies not currently bound by the Code are feeling pressure to align, especially those interacting with investors or regulators.

Who’s impacted by these updates?

Direct application is limited to premium-listed companies, including nearly all FTSE 100 and FTSE 250 firms. These companies operate under the “comply or explain” principle of the Code. So, while there is some flexibility, clear explanations will be expected if any provision is not met.

But the reach doesn’t stop there. Large private and Alternative Investment Market (AIM)-listed companies may not be legally bound. Still, many are aligning voluntarily, particularly if they are seeking capital, preparing for IPO, or operating internationally. Subsidiaries of global groups with US or EU listings may need to align with multiple internal control frameworks, making early integration of UK requirements more efficient.

For companies outside the formal scope, meeting these standards can still strengthen investor trust and signal control maturity. Regulators and investors are already applying pressure beyond premium-listed firms. For many, alignment is no longer optional; it’s expected.

What compliance teams should do now

When it comes to UK SOX, 2025 expectations are already shaping board and investor scrutiny. Waiting until the 2026 effective date risks rushed, reactive work. Compliance teams should begin preparing now by:

  • Assessing the current internal control framework: Conduct a comprehensive review of existing controls to identify alignment with the revised Code’s expectations. Include both financial and non-financial controls tied to principal risks.
  • Defining material controls: Engage with the board and risk owners to determine which controls meet the “material” threshold based on potential impact to strategy, operations, compliance, and financial reporting.
  • Preparing board-ready testing summaries: Develop concise, evidence-based reports that present control effectiveness in a way that supports board-level decision-making and disclosure.
  • Establishing a remediation process: Create documented workflows for identifying, addressing, and tracking deficiencies to closure, ensuring timely corrective action.
  • Evaluating internal versus external assurance options: Consider the benefits and limitations of independent assurance to support board confidence in the annual declaration.

The revised Code increases director accountability. Vague or unsupported claims will invite board pushback, investor concern, and auditor attention.

Strong internal controls support more than just UK SOX 2025 readiness. They also:

  • Strengthen investor trust through credible, specific reporting.
  • Reduce audit friction by identifying and resolving issues proactively.
  • Support operational resilience by closing gaps that could lead to disruptions or compliance failures.

Delays now make compliance later more difficult, expensive, and risky.

What UK SOX 2025 updates require in internal control disclosures

The revised Code and accompanying FRC guidance make it clear that internal control disclosures must go beyond boilerplate language. Companies must provide meaningful information that reflects their risk profile. This includes:

  • Framework disclosure: Stating whether COSO, another recognized framework, or a tailored internal approach has been adopted.
  • Defined responsibilities: Clarifying which individuals or committees oversee control design, implementation, and monitoring.
  • Review detail: Explaining how control reviews are planned, what testing methods are used, and the frequency of assessments.
  • Assurance approach: Indicating whether assurance came from internal functions such as internal audit, or from external providers. External audits of internal controls are not required under the Code, but boards are expected to evaluate their use when appropriate.

Investors and regulators expect companies to explain how controls are designed, who owns them, how they’re tested, and how effectiveness is evaluated. High-level summaries won’t meet the standard.

Provision 29 & internal control effectiveness under UK SOX

Provision 29 is at the core of the new expectations, requiring boards to:

  • Annually confirm whether all material controls were effective as of the balance sheet date.
  • Describe the review process, frequency, and methods used to assess controls.
  • Identify any material weaknesses or control failures, explaining their nature and the corrective actions taken or planned.
  • Report on progress made to resolve previously identified deficiencies.

The requirement moves companies away from broad descriptions of internal control systems. Boards are now expected to deliver a clear yes-or-no conclusion, backed by evidence of actual control performance.

How Resolver supports UK SOX readiness

Even without formal legislation, the governance expectations are clear and rising. The FRC’s governance code updates are already raising the standard for internal control reporting, and the first companies to implement them will set the tone for the rest of the market.

Boards want clarity. Investors want confidence. Compliance leaders have the opportunity to deliver both by strengthening internal controls now, ahead of formal deadlines.

Resolver’s Internal Controls Management Software helps teams manage compliance, bringing risks, controls, and policies into one view. From there, testing schedules run automatically and reports follow. Those reports give boards clarity without extra preparation. Controls align with COSO, keeping monitoring consistent and reliable. Operators take ownership, with progress tracked in one place. Together, these steps strengthen accountability across the organization.

With Resolver, teams can build a defensible internal controls program that provides both compliance and confidence.

Want to see how our tool supports UK SOX 2025 compliance? Book your demo today!
